
Re: TLS Replication that works for me (was Re: )




Daniel Crandall wrote:
Hi,

I’m having trouble figuring out how to use TLS to encrypt update transmissions between the master and the slaves.

I do have certificates, and references to them in slapd.conf. Beyond that I’m at a loss. Help?



Daniel


I feel your pain. I just learned this myself.

First, you want to get replication working without TLS. Assuming you might need a tiny bit of help with that, it can be done as follows.

master:/path/slapd.conf
...
# The option lines of a replica directive must be indented: slapd.conf
# joins a line that begins with whitespace onto the directive above it.
replica host=replica_server.domain.com
        binddn="cn=slave,dc=domain,dc=com"
        bindmethod=simple
        credentials=password
# /var/lib/ldap/replica/slurpd.replog in Red Hat Linux. slapd.conf only
# recognises comments at the start of a line, so the note lives up here.
replogfile /path/slurpd.replog


slave:/path/slapd.conf
...
# The slapd.conf directive is rootdn (rootbinddn is an nss_ldap/pam_ldap
# ldap.conf option and would be rejected here).
rootdn		"cn=slave,dc=domain,dc=com"
rootpw		password
updatedn	"cn=slave,dc=domain,dc=com"
updateref	ldap://master_server.domain.com

There are more elegant and secure ways of enabling the updatedn than making it rootdn on the replica box, but anything other than rootdn will involve an ACL to give that dn permission to write to everything.

Second, you need certificates. Certs can be generated from an openssl rpm installation by running 'make' in /usr/share/ssl and following the instructions. You might need an official cert request (.csr) to send to Verisign, or you might only want a test cert. There was a three-part article by AEleen Frisch (author of the Armadillo Book) on setting up LDAP in Linux Magazine, early 2002. The page with ssl cert generation is here:
http://www.linux-mag.com/cgi-bin/printer.pl?issue=2002-03&article=guru


Follow the SSL cert generation part exactly, and it's a piece of cake. I've made a few other observations, though, that diverge from her article. Everywhere I read about it, everyone says that replication in openldap-2.x does not work with encrypted credentials. So... the tail of each of my slapd.conf files looks like this.


master:/path/slapd.conf
...
# tls=critical: slurpd issues StartTLS ("SSL on request") to the replica
# and refuses to send updates if TLS cannot be negotiated.
replica host=replica_server.domain.com
        tls=critical
        binddn="cn=slave,dc=domain,dc=com"
        bindmethod=simple
        credentials=password
replogfile /path/slurpd.replog
# slapd.conf(5) documents the TLS* directives as global options, i.e. they
# belong before the first database section rather than after a replica line.
TLSCertificateFile /usr/share/ssl/certs/slapd_cert.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd_key.pem
# OpenSSL cipher-list syntax: "+SSLv2" only moves the SSLv2 ciphers to the
# end of the list; "!SSLv2" is what removes them.
TLSCipherSuite HIGH:MEDIUM:+SSLv2

slave:/path/slapd.conf
...
# The slapd.conf directive is rootdn (rootbinddn is an nss_ldap/pam_ldap
# ldap.conf option and would be rejected here).
rootdn		"cn=slave,dc=domain,dc=com"
rootpw		password
updatedn	"cn=slave,dc=domain,dc=com"
updateref	ldap://master_server.domain.com
# slapd.conf(5) documents the TLS* directives as global options, i.e. they
# belong before the first database section.
TLSCertificateFile	/usr/share/ssl/certs/slapd_cert.pem
TLSCertificateKeyFile	/usr/share/ssl/certs/slapd_key.pem
# "+SSLv2" only moves the SSLv2 ciphers to the end of the list; "!SSLv2"
# is what removes them.
TLSCipherSuite		HIGH:MEDIUM:+SSLv2


This works for me. Your mileage may vary a little, and there are certainly more sophisticated ways of doing it. Anyone else is welcome to add to this.


-j
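A cross-check of the master and slave fragments above, as an added example that is not part of the original post or of OpenLDAP itself. It parses slapd.conf the way slapd.conf(5) describes it (a '#' in column 0 is a comment, a line beginning with whitespace continues the directive above), pulls the key=value options out of the replica directive, and then checks the things that silently break slurpd replication: a simple bind without tls=critical (password on the wire), a binddn that does not match the slave's updatedn, an updatedn that is neither rootdn nor named in an access directive, and a missing updateref or TLS certificate. The host names, DNs and file paths are the ones the post uses; the two configuration fragments are constructed samples, and the DN comparison is a plain string match rather than full DN normalisation.

```python
"""Cross-check a master/slave slapd.conf pair for slurpd replication over TLS.

Added example for this thread; not code from the original post or from
OpenLDAP.  Hosts, DNs and paths are the ones the post uses; the config
fragments themselves are constructed samples.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the post's master tail, with the replica options on
# continuation lines (slapd.conf joins lines that start with whitespace).
MASTER_CONF = """\
replica host=replica_server.domain.com
        tls=critical
        binddn="cn=slave,dc=domain,dc=com"
        bindmethod=simple
        credentials=password
replogfile /path/slurpd.replog
TLSCertificateFile /usr/share/ssl/certs/slapd_cert.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd_key.pem
TLSCipherSuite HIGH:MEDIUM:+SSLv2
"""

# Constructed sample: the post's slave tail.
SLAVE_CONF = """\
rootdn      "cn=slave,dc=domain,dc=com"
rootpw      password
updatedn    "cn=slave,dc=domain,dc=com"
updateref   ldap://master_server.domain.com
TLSCertificateFile /usr/share/ssl/certs/slapd_cert.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd_key.pem
TLSCipherSuite HIGH:MEDIUM:+SSLv2
"""

# Constructed sample: the same master before TLS was switched on.
MASTER_CONF_NO_TLS = MASTER_CONF.replace("        tls=critical\n", "")

Directive = Tuple[str, str]  # (lower-cased directive name, argument string)
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_slapd_conf(text: str) -> List[Directive]:
    """slapd.conf(5) rules: '#' in column 0 is a comment, blank lines are
    ignored, a line that begins with whitespace continues the previous one."""
    out: List[Directive] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and out:
            name, arg = out[-1]
            out[-1] = (name, (arg + " " + raw.strip()).strip())
            continue
        parts = raw.strip().split(None, 1)
        out.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return out


def first(conf: List[Directive], name: str) -> str:
    """Argument of the first occurrence of a directive, '' if it is absent."""
    for n, a in conf:
        if n == name:
            return a
    return ""


def replica_options(arg: str) -> Dict[str, str]:
    """Split 'host=... binddn="..." ...' into a dict, quotes removed."""
    return {k.lower(): q or u for k, q, u in _KV.findall(arg)}


def norm_dn(dn: str) -> str:
    """Cheap string normalisation (quotes, spaces, case); not RFC 4514 matching."""
    return re.sub(r"\s*,\s*", ",", dn.strip().strip('"')).lower()


def check_replication(master_text: str, slave_text: str) -> List[str]:
    """Return the problems found; an empty list means the pair looks sane."""
    master, slave = parse_slapd_conf(master_text), parse_slapd_conf(slave_text)
    problems: List[str] = []

    replicas = [replica_options(a) for n, a in master if n == "replica"]
    if not replicas:
        problems.append("master: no replica directive")
    if not first(master, "replogfile"):
        problems.append("master: replogfile missing, slurpd has nothing to ship")

    updatedn, rootdn = norm_dn(first(slave, "updatedn")), norm_dn(first(slave, "rootdn"))
    for r in replicas:
        host = r.get("host", "?")
        if r.get("bindmethod", "simple") == "simple" and r.get("tls") != "critical":
            problems.append(f"master: replica {host} does a simple bind "
                            "(cleartext credentials) without tls=critical")
        if norm_dn(r.get("binddn", "")) != updatedn:
            problems.append(f"master: replica {host} binddn does not match slave updatedn")

    if not updatedn:
        problems.append("slave: updatedn missing, replicated writes will be rejected")
    elif updatedn != rootdn and not any(n == "access" and updatedn in norm_dn(a)
                                        for n, a in slave):  # substring heuristic
        problems.append("slave: updatedn is not rootdn and no access directive names it")
    if not first(slave, "updateref"):
        problems.append("slave: updateref missing, client writes will not be referred")
    for d in ("tlscertificatefile", "tlscertificatekeyfile"):
        if not first(slave, d):
            problems.append(f"slave: {d} missing, StartTLS from slurpd will fail")
    suite = first(slave, "tlsciphersuite")
    if suite and re.search(r"(^|:)\+?SSLv2(:|$)", suite):
        problems.append("slave: TLSCipherSuite admits SSLv2 ciphers ('+SSLv2' only "
                        "moves them to the end of the list; '!SSLv2' removes them)")
    return problems


if __name__ == "__main__":
    for label, m in (("without TLS", MASTER_CONF_NO_TLS), ("with TLS", MASTER_CONF)):
        print(f"{label}:")
        for p in check_replication(m, SLAVE_CONF) or ["ok"]:
            print("  " + p)
```

Run against the post's own fragments, the pre-TLS master is flagged for sending the slave's password in a cleartext simple bind, and both versions are flagged for the cipher list, since "+SSLv2" demotes rather than excludes the SSLv2 ciphers; swapping it for "!SSLv2" gives a clean run.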